Cisco ASA 5510 how to clear access list rule that is cached

no access-list outside_access_in extended deny ip host 24.xxx.xxx.xxx any
access-group outside_access_in in interface outside

I removed this deny on this IP, but that IP still cannot access the network since I removed it.

Is there a clear command on the ASA to clear an active ACL? I am getting Deny TCP (no connection) .... RST flags for this IP.

trininfo17 asked:

Michael Ortega (Sales & Systems Engineer) commented:
How about just power cycling the firewall?

MO
trininfo17 (Author) commented:
Not really an option; the ASAs are in high availability mode and concurrency is high, so it would require a scheduled downtime request. Trying to do this live.
Michael Ortega (Sales & Systems Engineer) commented:
If they are High Avail then a reboot should affect anything on a reboot, right?

MO

trininfo17 (Author) commented:
No, because they are stateful; the standby gets the exact running-config as the active.
Michael Ortega (Sales & Systems Engineer) commented:
Gotcha. I just assumed you were active/active. Can you post your running-config? Please blank out any sensitive information.

MO
Michael Ortega (Sales & Systems Engineer) commented:
Have you already tried to clear the access-list counter?

clear access-list counter outside_access_in

MO

trininfo17 (Author) commented:
Yes, tried clear xlate and clear access-list counters.

Pasting in the running config isn't going to be too useful; all other appropriate traffic passes as prescribed. It's just this one deny ip rule that was removed. It doesn't seem to be removed, as traffic from that IP gets the following:

6|Mar 26 2010 12:50:42|106015: Deny TCP (no connection) from 24.xxx.xxx.xxx/4949 to 24.xxx.xxx.xxx/21 flags RST  on interface outside
6|Mar 26 2010 12:50:42|302014: Teardown TCP connection 24474959 for outside:24.xxx.xxx.xxx/4949 to inside:10.xxx.xxx.xxx/21 duration 0:00:00 bytes 101 TCP FINs
6|Mar 26 2010 12:50:42|302013: Built inbound TCP connection 24474959 for outside:24.xxx.xxx.xxx/4949 (24.xxx.xxx.xxx/4949) to inside:10.xxx.xxx.xxx/21 (24.xxx.xxx.xxx/21)

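Message ID 106015 in the output above is the ASA stateful-inspection log for a TCP packet that matched no entry in the connection table; a packet blocked by an access-group rule is logged as 106023 (or 106100 when the ACE has logging enabled). The following Python is an added example, not code from the thread, that parses lines in the level|timestamp|msgid layout shown and reports, per source host, whether any ACL deny was actually logged; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA "level|timestamp|msgid: text" syslog layout
# shown in the thread; addresses are RFC 5737 documentation values, not real hosts.
SAMPLE_LOG = """\
6|Mar 26 2010 12:50:42|106015: Deny TCP (no connection) from 203.0.113.5/4949 to 198.51.100.7/21 flags RST  on interface outside
6|Mar 26 2010 12:50:42|302014: Teardown TCP connection 24474959 for outside:203.0.113.5/4949 to inside:10.0.0.21/21 duration 0:00:00 bytes 101 TCP FINs
6|Mar 26 2010 12:50:42|302013: Built inbound TCP connection 24474959 for outside:203.0.113.5/4949 (198.51.100.7/4949) to inside:10.0.0.21/21 (198.51.100.7/21)
4|Mar 26 2010 12:51:03|106023: Deny tcp src outside:203.0.113.9/51515 dst inside:10.0.0.21/21 by access-group "outside_access_in" [0x0, 0x0]
"""

LINE_RE = re.compile(r"^(?P<level>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
# IDs that mean an access-list rule blocked the packet, versus the
# stateful-inspection drop for a packet with no existing connection.
ACL_DENY_IDS = {"106023", "106100"}
NO_CONNECTION_IDS = {"106015"}

def parse_line(line):
    """Return (msgid, source IP, text) for one ASA syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    text = m.group("text")
    # For these message IDs the source is the first IP/port pair in the text.
    src = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})/\d+", text)
    return m.group("msgid"), (src.group(1) if src else None), text

def classify_host(log_text, host):
    """Count how the ASA treated packets from `host`: ACL denies versus
    'no connection' drops (which are not ACL verdicts) and built connections."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != host:
            continue
        msgid = parsed[0]
        if msgid in ACL_DENY_IDS:
            counts["acl_deny"] += 1
        elif msgid in NO_CONNECTION_IDS:
            counts["no_connection"] += 1
        elif msgid == "302013":
            counts["conn_built"] += 1
    return dict(counts)

def acl_still_blocking(log_text, host):
    """True only if an access-group deny was logged for the host."""
    return classify_host(log_text, host).get("acl_deny", 0) > 0
```

For the constructed sample, the host from the thread's pattern (203.0.113.5) shows a built connection plus a 106015 drop and no ACL deny, while 203.0.113.9 is genuinely blocked by outside_access_in.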
Michael Ortega (Sales & Systems Engineer) commented:
There doesn't seem to be anything else you can do but reload the device. Have you tried a call to Cisco yet? 24/7 phone support even if the ASA isn't under a current SmartNET subscription. I recommend you give Cisco a call or hold out until you can reload the unit, and see what happens after it starts back up.

MO
trininfo17 (Author) commented:
I had to use the GUI to save the access list; that cleared the cache.